Caltech/MIT/UW V&V MURIR. Murray, CDS

Specification, Design and Verification of Distributed Embedded Systems

Mani Chandy John Doyle Richard Murray (PI)California Institute of Technology

Eric Klavins Pablo ParriloU. Washington MIT .

AFOSR Dynamics and Control Meeting5 August 2008

1

Richard M. Murray, Caltech CDSTeam Caltech, Jan 08

Motivating Example: Alice (DGC07)Alice• 300+ miles of fully autonomous driving• 8 cameras, 8 LADAR, 2 RADAR• 12 Core 2 Duo CPUs + Quad Core• ~75 person team over 18 months

Software• 25 programs with ~200 exec threads• 237,467 lines of executable code

2

Richard M. Murray, Caltech CDSTeam Caltech, Jan 08

2007 National Qualifying Event

3

Merging test• 10-12 cars circling past inters’n• Count “perfect runs” in 30 min

Results• First run: tight corners caused Alice

to stop in intersection• Second run: bugs introduced while

trying to improve performance; caused multiple “aggressive” events

Richard M. Murray, Caltech CDSCaltech, August 2008

MURI Goals + Talk OutlineOverall Goal: Develop methods and tools for designing control policies, specifying the properties of the resulting distributed embedded system and the physical environ-ment, and proving that the specifications are met

Specification• How does the user specify---in a single formalism---

continuous and discrete control policies, communications protocols and environment models (including faults)?

Design and reasoning• How can engineers reason that their designs satisfy the

specifications?

• In particular, can engineers reason about the performance of computations and communication, and incorporate real-time constraints, dynamics, and uncertainty into that reasoning?

Implementation (joint with Boeing, JPL, AFRL)• What are the best ways of mapping detailed designs to

hardware artifacts, running on specific operating systems? What languages are suitable for specifying systems so that the specifications can be verified more easily?

Outline

I. Embedded Graph Grammars (EGGs)

II. SOS extensions for hybrid and networked systems

III. Combining temporal logic and dynamics

IV.Reasoning about stochastic & adversarial environments

V. Summary

4

Richard M. Murray, Caltech CDSCaltech, August 2008

CCL: Computation and Control LanguageFormal Language for Provably Correct Control Protocols

Klavins and MIEEE PC, 2004

P(k1,k2) := { initializers guard1:rule1 guard2:rule2 ...

}

S(k1,k2):=P(k1,k2)+C(k1+1)

"soup" of guarded commands

composition = union

non-shared variables remain local to

component programs

Guarded command language:

Execution semantics and properties• Any rule whose guard is true can be executed at

any time; no synchronization between agents

• Specify desired properties using temporal logic p ≡ always p (invariance) ◊p ≡ eventually p (guarantee) p → q U r ≡ p implies q until r (precedence) ◊p ≡ always eventually p (progress) ◊p ≡ eventually always p (stability)

Richard M. Murray, Caltech CDSCaltech, August 2008

Embedded Graph Grammars (McNew et al)Defn An embedded graph is a tuple G = (V, E, z, e) such that

• V is a set of vertices (agents)

• E is a set of edges representing agents that can communicate with each other

• z is a set of vertex variables (properties; eg, location)

• e is a set of edge variables (properties; eg, relationship)

Defn An embedded graph grammar is a pair (F, u) where

• F is a set of local rules (for each agent)

• u is a set of local controllers (for each agent)

Design problem: find (F, u) such that the dynamics g(t) ∈ G have desired set of properties under asynchronous execution

6

Continuous flow via (local) control laws

c

b

cbd

dc

b

cbd

d c

b

ab

d cb

a

d

ce e

cec

bec

t0 t1- t1+ t2

Discrete, instantaneous (local) update to network topology

Continuous flow via (local) new control laws

Richard M. Murray, Caltech CDSCaltech, August 2008

Lexicographically Ordered Lyapunov FunctionsDefn Let A ⊂ G be closed under a graph grammar Φ and let ≼ be an ordering on Rk with a unique zero element. A function U:A → Rk is a discrete Lyapunov function for the graph grammer Φ if

• U(G) ≻ 0 implies at least one rule is applicable

• U(G) = 0 implies no rule is applicable

• When U(G) ≻ 0, ever applicable rule decreases U

Theorem (McNew et al) Suppose (G0, Φ) is a system, P is a set of desired final graphs, A is a set of Φ invariant graphs and U is a discrete Lyapunov function so that A ∩ U-1(0) ⊂ P. If G0 ∈ A, then every trajectory converges to a final graph in P.

Defn The lexicographic ordering (Rn, ≼) is defined as (a1, a2, …, an) ≺ (b1, b2, …, bn) if a1 < b1 or there exists a k such that ai = bi for all i ≤ k and ak+1 < bk+1.

Corollary Suppose Φ1, Φ2 are two grammars with invariant sets A and B and discrete Lyapunov functions U and V. If A ∩ B is closed under applications of rules in Φ1 ∪ Φ2, and there exists a lexicographic order of elements of U, V with respect to Φ1 ∪ Φ2 then every trajectory converges to a final graph in A ∩ B ∩ U-1(0) ∩ V-1(0).

Remark Allows constructive techniques for combining basic behaviors...

7

Richard M. Murray, Caltech CDSCaltech, August 2008

Triangulation: Vehicles achieve uniform cover-age from arbitrary initial conditions (HSCC 07).

Load Balancing: Vehicles cover targets in equal numbers while maintaining connectivity (CDC 06).

Reconfiguration: Vehicles change formations while maintaining network connectivity (ACC 08).

• Each task requires mode-switching and communication.

• Solutions are completely decentralized.

• Each solution comes with safety and progress guarantees.

• More tasks and proof methodologies in J.M. McNew’s thesis (Ph.D. in Sept. 2008).

8

Example Tasks

Caltech/MIT/UW V&V MURIR. Murray, CDS

Proof Certificates for Stability and Sum of SquaresCertifying stability for dynamical systems• Given a (controlled) dynamical system,

determine whether the system is stable and estimate the region of attraction

• Traditional technique: find a Lyapunov function that serves as a “proof certifi-cate” for stability and gives a set that is guaranteed to be in region of attraction

Sum-of-squares approach• Approximate the Lyapunov certificate

with a sum of squares; solve a convex programming problem

• Constructive algorithm for finding Lyapunov functions; rapidly becoming a standard computational approach

DCAT, 12 Feb 02 Richard M. Murray, Caltech 1

Extensions• SOSTOOLS – MATLAB package for

finding SOS certificates• Proof certificates for hybrid dynamica

systems (barrier certificates)• Incorporating stochastic inputs (noise,

disturbances)• Current work: incorporating temporal

logic specifications (focus of MURI)

9

Richard M. Murray, Caltech CDSCaltech, August 2008

Non-Monotonic Lyapunov Functions (Ahmadi et al)Goal: easier conditions for stability and performance of hybrid systems• Traditional Lyapunov-based analysis

relies on monotone invariants (e.g., energy)

• This often forces descriptions requiring high algebraic complexity

• Is it possible to relax the monotonicity assumption?

Thm Consider a discrete-time linear system xk+1 = f(xk). If there exists a scalar τ ≥ 0 and a continuous radially unbounded function V such that V(x) > 0 ∀ x ≠ 0, V(0) = 0 and τ(Vk+2 - Vk) + Vk+1 - Vk < 0 then the origin is global asymptotically stable.

Pf Show that for any Vk, either Vk+1 or Vk+2 is less than Vk and construct a converging subsequence

Remarks• Can reformulate results as convexity-

based conditions, checkable by SOS/semidefinite programming

• Easy to apply, more powerful than standard conditions

• Connections with other techniques (e.g., vector Lyapunov functions)

• Many extensions to discrete/continuous/hybrid/switched, etc.

Complicated V

Simpler Vx

1

x2

Richard M. Murray, Caltech CDSCaltech, August 2008

Formal Reasoning for Dynamics + ProtocolsAsynchronous Iterative Processes (Tsitsiklis, 1987)• S = states, S0 = starting states (mixed continuous and discrete)• A = set of actions, E = enabling predicate, T = transition function• E(s, a) holds if an only if the transition labeled by a can be applied to s• s’ = T(a, s) if a is enabled at s or s’ = s

• d = distance function on S* ⊆ S: ∀ s ∈ S*, s’ ∈ S*, d(S*, s) > d(S*, s’)

Defn Let A = (S, A, S0, E, T) be an automaton, s* a state in S and d a distance function for s*. The automaton A is (s*, d)-stable if ∀ ε > 0, ∃ δ > 0 such that ∀ s ∈ S, aω ∈ Aω, n ∈ N, s ∈ Bδ(s*) ⇒ Trans(s, aω, n) ∈ Bε(s*).

Thm Let S* be a nonempty subset of S and let d be a distance function for S*. Suppose there exists a totally ordered set (T, <) with sublevel sets Lp and a function f:S → T that satisfies the following conditions

• ∀ ε ≥ 0, ∃ p ∈ T such that Lp ⊆ Bε(S*)

• ∀ p ∈ T, ∃ ε ≥ 0 such that Bε ⊆ Lp

• ∀ s ∈ S, a ∈ A, E(a, s) ⇒ f(T(a, s)) ≤ f(s)

Then A is (S*, d)-stable11

Proof via PVS metatheory ⇒ allows reasoning in theorem- proving environment

Caltech/MIT/UW V&V MURIR. Murray, CDS

Distributed Control with Messages (Chandy, Mitra)Convergence verification for partially synchronous systems• Mechanical transformation from shared-memory

algorithms to message-passing algorithms• Use Tsitsiklis formalism + timed I/O automata (TIOA) to

show that if an algorithm converges using shared mem-ory, it converges using message passing Relatively modest assumptions on messages

• Show that programs (designs) are within the specifiedclass of algorithms ⇒ can robustly distributed

12

Agentscomputeaverage

Agentscomputeconvex hull

Agentsmove informa5on

Agentscomputepaths

AgentsCompute

max

Javaprogram

Erlangprogram

Javaprogram

Erlangprogram

Javaprogram

Erlangprogram

Javaprogram

MLprogram

Javaprogram

MLprogram

Richard M. Murray, Caltech CDSCaltech, August 2008

Stochastic SystemsIncreased interest in stochastic behavior• Need to eason about probability of events and stochastic performance measures• Formal reasoning systems allow non-determinism (in events), but often don’t include

random variables and processes

Model reduction using Wasserstein pseudometrics (Thorsley et al)• Define a formal distance between stochastic processes• Enables reasoning about complicated systems by producing simpler models• Details: Thorsely & Klavins (ACC, 2008)

Polynomial stochastic games via sum of squares optimization (Shah et al)• Generalize Markov decision processes to game theoretic settings• Can show that equilibria for certain classes of two-player, zero-sum, infinite strategy

games can be solved via SDPs (eg, SOS-tools)• Provides possible method to extend current results to adversarial environments• Details: Shah & Parrilo (CDC, 2008)

http://www.cds.caltech.edu/~murray/VaVMURI

13

Richard M. Murray, Caltech CDSCaltech, August 2008

Implementation ToolsMission Data System (MDS) → Hybrid Automata• Conversion of goal network to hybrid automata

that can be verified using PHAVer, SPIN, etc• Joint work with JPL, applying to Titan mission

PVS metatheory for asynchronous iterativeprocesses• “Library” for reasoning about stability in PVS• Being used for verifying multi-robot protocols

Applications to Alice, MVWT• Applying tools to verify behavior of Alice (starting

with fixing DGC07 failure mode!)

14

Goal

Elab Tac5c 1

Elab Tac5c 1OR

Elab Tac5c 2

Elab Tac5c 2

Location Creation

Constraint Merging

Transition Creation

Location Removal

XML Input Parser

PHAVer Output Parser

Spin Output Parser

OnlineOptimization(RHC, MILP)

Sensing

External Environment

ProcessActuation

Feeder:Reliable

StateServer

(KF -> MHE)Inner Loop(PID, H∞)

Com

man

d:FI

FO

1-3 Gb/s

Sensing

Traj:Causal

ActuatorState:Unreliable

Map:CausalTraj:Causal

10 Mb/s

Networked Control Systems(following P. R. Kumar)

Online Model

StateServer

(KF -> MHE)

State:Unreliable

StateServer

(KF, MHE)

100 Kb/s

OnlineOptimization(RHC, MILP)

OnlineOptimization(RHC, MILP)

Mode andFault

Management

Memory andLearning

Goal Mgmt(MDS)

Attention &Awareness

Caltech/MIT/UW V&V MURIR. Murray, CDS 16

FUNDING ($K)—Show all funding contributing to this project FY06 FY07 FY08 FY09 FY10 AFOSR Funds 417 1000 1000 1000 1000Boeing 310 390 390 390 390DARPA GC 1200

TRANSITIONS• Application to autonomous driving (DGC07)

STUDENTS, POST-DOCS 2006-08: 12 graduate students, 4 postdocs, 4 undergraduates

LABORATORY POINT OF CONTACT Dr. Siva Banda, AFRL/RBCA, WPAFB, OH

APPROACH/TECHNICAL CHALLENGES• Specification and reasoning using graph grammars• Sum of squares analysis for certificates, invariants• Extensions to probabalistic, adversarial and

networked operations

ACCOMPLISHMENTS/RESULTS•Embedded graph grammars for cooperative control•Lyapunov-based verification of temporal properties•Stochastic games using semidefinite programming•Tools for converting goal networks to hybrid FSM•Applications examples with DARPA GC + JPL

Long-Term PAYOFF: Rigorous methods for design and verification of distributed systems-of-systems in dynamic, uncertain, adversarial environmentsOBJECTIVES• Specification language for continuous & discrete control policies, communications protocols and environment models (including faults)• Analysis tools to reason about designs and provide proof certificates for correct operation • Implementation on representative testbeds

Net-Centric Battlespace Management

Specification, Design and Verification ofDistributed Embedded Systems

Caltech/MIT/UW, Murray (PI)/Chandy/Doyle/Klavins/Parrilo